logo

Database

Improper authorization control for web services In www.velocidex.com/golang/velociraptor

Description

Velocidex Velociraptor has an authorization bypass vulnerability An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-75732. NVD-2026-75733. OSV-2026-75734. GCVE-2026-7573

References

1. https://docs.velociraptor.app/announcements/advisories/cve-2026-7573

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.